CN102300212A - Method and system for realizing individualized resource security access control - Google Patents


Info

Publication number
CN102300212A
Authority
CN
China
Prior art keywords
user
module
self
organizing
authentication
Prior art date
Legal status
Granted
Application number
CN2011102261835A
Other languages
Chinese (zh)
Other versions
CN102300212B (en)
Inventor
王世彤
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201110226183.5A
Publication of CN102300212A
Application granted
Publication of CN102300212B
Legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and system for realizing individualized resource security access control. The method comprises the following steps: a context sensing module acquires characteristic identity information related to a user, and environment and resource capability characteristic information related to that identity information; after changes in the characteristic information are filtered and processed by the context sensing module, a corresponding event is formed and notified to a security policy module, and the security policy module determines a real-time security policy for the user on the basis of the user's context changes and a basic security policy set; and within the configurable life cycle of the user's real-time security policy, an authenticating module and an authorizing module acquire the user's real-time security policy from the security policy module and dynamically update the user's authenticating and authorizing mechanisms according to it. By combining the user's context sensing technique with the corresponding real-time security policy of the user, the method and system effectively support the continuity and dynamism of Internet of Things resource security services.

Description

Method and system for realizing personalized secure access control of resources
Technical field
The present invention relates to the communications field, and in particular to a method and system for realizing personalized secure access control of resources.
Background technology
The Internet of Things is a highly complex, heterogeneous network of networks. It embodies the deep integration of the physical world and the information space: humans can be immersed in an integrated intelligent ecological environment that realizes the coordinated unification of people, machines and things.
Context-aware computing was originally one of the important technologies of the computer application field. Because it can significantly enhance the intelligence of computer applications, it has been a popular research area since the late 1990s. With the development of Internet of Things technology in recent years, the spread of intelligent sensing and intelligent control in living environments, and the combination of tag technology, sensor technology and wireless communication devices, important technical support is now available for building an intelligent context-aware infrastructure that perceives the surrounding environment and proactively provides services to people.
A widely accepted definition of "context" is: any information that can be used to characterize an entity. The entity may be a person, a place, an application or a user, or any other object that interacts with or is related to the application and the user. Context-aware computing is generally used to describe the following model of intelligence: users, services and resources can discover other users, services and resources and integrate with them to cooperate, producing correct intelligent behaviour without requiring excessive user intervention. For example, in the Internet of Things field, attaching a tag to every object (including people and articles) establishes a correspondence between an individual in physical space and an object in information space; by observing and identifying the user's state and behaviour, this offers a practical way to build intelligent context-aware computing applications.
Referring to Fig. 1, Fig. 1 envisages three possible classes of passengers in an airport terminal: non-boarding passengers, boarding passengers holding an ordinary ID, and boarding passengers holding a VIP ID. The terminal may provide resource services such as wireless network resources, data resources and content resources to these three classes of passengers, and may control them through security inspection, dedicated channels and entry to the VIP lounge.
At present, different resource usage modes cannot be provided automatically for different passengers in different locations. For example, a VIP boarding passenger, from entering the airport hall to finally boarding through the dedicated channel, must repeatedly present vouchers such as the air ticket and obtain the corresponding resource usage rights through manual verification.
Secondly, when the resource access environment changes (for example, the network environment changes), the system needs to obtain the passenger's verification credentials again, so it cannot provide an uninterrupted resource access service for the passenger.
Finally, after passing the security check, a VIP boarding passenger still has to present vouchers such as the air ticket manually and repeatedly before entering the VIP lounge and using the dedicated channel.
In summary, resource access control in the existing Internet of Things has the following disadvantages:
First, there is a lack of effective support for personalized security services for resources.
Second, there is a lack of effective support for the continuity and dynamism of resource security services.
Finally, efficiency is low, the user experience of the resource service is poor, and development and deployment are difficult.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and system for realizing personalized secure access control of resources, so as to effectively support the continuity and dynamism of Internet of Things resource security services.
To achieve the above object, the technical solution of the present invention is realized as follows:
A method for realizing personalized secure access control of resources, the method comprising:
in a passive or active manner, a context-aware module obtains the characteristic identity information associated with a user, and the environment and resource capability characteristic information associated with that identity information; after changes in the characteristic information are filtered and processed by the context-aware module, a corresponding event is formed and notified to a security policy module, and the security policy module determines the user's real-time security policy based on the user's context changes and a basic security policy set; within the configurable life cycle of the user's real-time security policy, an authentication module and an authorization module obtain the user's real-time security policy from the security policy module by query or by receiving notifications, and dynamically update the user's authentication mechanism and authorization mechanism accordingly.
The process of determining the user's real-time security policy comprises:
in an active or passive manner, the context-aware module obtains the characteristic identity information associated with each user, and the environment and resource capability characteristic information associated with that characteristic identity information; after the above characteristic-related information is filtered and processed by the context-aware module, a corresponding event is formed and notified to the security policy module, and the security policy module, based on the basic security policy set and according to the event changes, establishes the real-time security policy associated with the user;
the process of updating the authentication and authorization mechanisms comprises: the user's real-time security policy is provided to a self-organizing authentication module and a self-organizing authorization module by query feedback or by notification, and the self-organizing authentication module and the self-organizing authorization module, according to the received security policy and based respectively on an authentication knowledge base and a security decision base, automatically establish and update the real-time authentication mechanism and the resource authorization rights of the corresponding user.
When establishing the user's real-time security policy, the security policy module establishes the real-time security policy associated with the user based on the basic security policy set and according to the user's resource request.
When the self-organizing authentication module and the self-organizing authorization module establish the authentication mechanism and the resource authorization rights, they automatically and dynamically provide each user with a corresponding real-time authentication mechanism and authorization mechanism according to the real-time security policy established for that user, so as to support each user in using protected resources according to the authorized rights.
When the context-aware module obtains the characteristic-related information, it dynamically perceives, processes and transmits changes in the user-associated characteristic information and notifies the security policy module in the form of events, and the security policy module updates the user's real-time security policy.
The real-time security policy has a configurable life cycle of establishment, operation, update and cancellation;
within the life cycle of the user's real-time security policy, the real-time authentication and authorization mechanisms of each user maintained by the self-organizing authentication module and the self-organizing authorization module have a corresponding life cycle of establishment, operation, update and cancellation.
The method further comprises:
when the user exits the resource, the security policy module cancels the corresponding user's real-time security policy, and the self-organizing authentication module and the self-organizing authorization module cancel the corresponding authentication mechanism and authorization mechanism.
A system for realizing personalized secure access control of resources, the system comprising a real-time security policy decision unit and an authentication and authorization mechanism decision unit; wherein
the real-time security policy decision unit is configured to determine the user's real-time security policy based on the events provided by the context-aware module and on the basic security policy set;
the authentication and authorization mechanism decision unit is configured to automatically establish, update or cancel the user's real-time authentication and authorization mechanisms according to the user's real-time security policy determined by the real-time security policy decision unit.
The real-time security policy decision unit comprises a context-aware module and a security policy module; the authentication and authorization mechanism decision unit comprises a self-organizing authentication module and a self-organizing authorization module; wherein
the context-aware module is configured to automatically obtain the characteristic identity information associated with each user and the environment and resource capability characteristic information associated with that characteristic identity information, and, after filtering and processing the above characteristic-related information, to form a corresponding event and notify the security policy module;
the security policy module is configured to establish, according to the event changes and based on the basic security policy set, the real-time security policy associated with the user, and to provide it to the self-organizing authentication module and the self-organizing authorization module by query feedback or by notification;
the self-organizing authentication module and the self-organizing authorization module are configured to automatically establish and update the real-time authentication mechanism and the resource authorization rights of the corresponding user according to the received security policy.
When establishing the user's real-time security policy, the security policy module is configured to establish the real-time security policy associated with the user according to the user's resource request and based on the basic security policy set;
the security policy module comprises at least, but is not limited to, a context-driven unit, a life cycle management component, a basic security policy component, a security policy management interface and a user real-time security policy component.
When the self-organizing authentication module and the self-organizing authorization module establish the user's real-time authentication mechanism and resource authorization rights, they are configured to automatically and dynamically provide each user with a corresponding authentication mechanism and authorization mechanism, according to the real-time security policy established for that user and based respectively on the authentication knowledge base and the security decision base, so as to support each user in using protected resources according to the authorized rights;
the self-organizing authentication module comprises at least, but is not limited to, the following components: an authentication knowledge base, a self-organizing processing component, a user real-time authentication component and a life cycle management component;
the self-organizing authorization module comprises at least, but is not limited to, the following components: a security decision base, a self-organizing processing component, a user real-time authorization component and a life cycle management component.
When the context-aware module obtains the characteristic-related information, it is configured to dynamically perceive, process and transmit changes in the user-associated characteristic information and to notify the security policy module in the form of events, triggering the security policy module to update the user's real-time security policy;
the context-aware module comprises at least, but is not limited to, a sensor group perception component, a user role perception component, a resource perception component, an event processing component, an event-driven component and an application layer interface.
The user's real-time security policy has a life cycle of establishment, operation, update and cancellation;
within the life cycle of the user's real-time security policy, the real-time authentication and authorization mechanisms of each user maintained by the self-organizing authentication module and the self-organizing authorization module have a corresponding life cycle of establishment, operation, update and cancellation.
When the user exits the resource, the security policy module is further configured to cancel the corresponding user's real-time security policy, and the self-organizing authentication module and the self-organizing authorization module are further configured to cancel the corresponding user's real-time authentication mechanism and authorization mechanism.
The system further comprises a security management module, configured to import and manage the basic security policy parameters of the security policy module, the self-organizing authentication module and the self-organizing authorization module.
The method and system of the present invention combine user context-aware technology with the user's real-time security policy and automatically update each user's corresponding real-time authentication and authorization mechanisms throughout the whole life cycle of the user's use of the resource, which has the following advantages: first, according to changes in the characteristic information around the user, the user can be dynamically provided with a seamless resource access control service capability anytime and anywhere, effectively supporting the continuity and dynamism of Internet of Things resource security services; second, personalized security service support can be provided for the user in a complex network environment, greatly improving the satisfaction of the user experience; finally, personalized secure access control of resources is realized with high efficiency and is easy to develop and deploy.
Description of drawings
Fig. 1 is a schematic diagram of an example of realizing personalized secure access control of resources in the prior art;
Fig. 2 is a schematic diagram of realizing personalized secure access control of resources in the Internet of Things according to an embodiment of the invention;
Fig. 3 is a component diagram of the context-aware module of an embodiment of the invention;
Fig. 4 is a component diagram of the security policy module of an embodiment of the invention;
Fig. 5 is a component diagram of the self-organizing authentication module of an embodiment of the invention;
Fig. 6 is a component diagram of the self-organizing authorization module of an embodiment of the invention;
Fig. 7 is a flow chart of realizing personalized secure access control of resources in the Internet of Things according to one embodiment of the invention;
Fig. 8 is a flow chart of realizing personalized secure access control of resources in the Internet of Things according to another embodiment of the invention;
Fig. 9 is a general flow chart of realizing personalized secure access control of resources according to an embodiment of the invention;
Fig. 10 is a diagram of a system for realizing personalized secure access control of resources according to an embodiment of the invention.
Embodiment
In practical applications, a system for realizing personalized secure access control of resources in the Internet of Things can be provided, comprising:
a security management module, used for inputting the basic security policy parameters and for managing the system's security policy module, self-organizing authentication module and self-organizing authorization module;
a context-aware module, used for receiving user resource access requests and for receiving, processing and sending the context of the environment the user is in, of the various resource states related to the user and the access request, and of other related events and objects. The context-aware module comprises at least, but is not limited to, a sensor group perception component, a user role perception component, a resource perception component, an event processing component, an event-driven component and an application layer interface;
a security policy module, used for receiving the basic security policy parameters provided by the security management module and for responding to user context change events by generating a real-time security policy for the user (for example, generated independently for each user). The security policy module comprises at least, but is not limited to, a context-driven unit, a life cycle management component, a basic security policy component, a security policy management interface and a user real-time security policy component;
a self-organizing authentication module, which creates the user's real-time authentication mechanism according to the user's real-time security policy parameters provided by the security policy module, in combination with the authentication knowledge base. It provides the user with a personalized authentication service capability (for example, provided independently for each user) and is used to guarantee the continuity of the security service. The self-organizing authentication module comprises at least, but is not limited to, the following components: an authentication knowledge base, a self-organizing processing component, a user real-time authentication component and a life cycle management component;
a self-organizing authorization module, which creates the user's real-time authorization mechanism according to the user's real-time security policy parameters provided by the security policy module, in combination with the security decision base, and independently grants each user personalized resource usage rights. The self-organizing authorization module comprises at least, but is not limited to, the following components: a security decision base, a self-organizing processing component, a user real-time authorization component and a life cycle management component.
Based on the above system, the context-aware module can perceive the user's environment context and resource context, the security policy module can establish the real-time security policy associated with that user according to the user's resource request, and the real-time authentication and authorization mechanisms of the corresponding user can then be established.
The user's real-time security policy has a configurable life cycle; within a given period of time, the real-time security policy has four operating states: establishment, operation, update and cancellation. Within the life cycle of the user's real-time security policy, the self-organizing authentication module and the self-organizing authorization module can obtain the corresponding user's real-time security policy from the security policy module by query feedback or by passive notification, and establish the corresponding real-time authentication mechanism and authorization mechanism. The user's real-time authentication and authorization mechanisms maintained by the self-organizing authentication module and the self-organizing authorization module have a life cycle corresponding to that of the user's real-time security policy.
The system's self-organizing authentication module and self-organizing authorization module, according to the real-time security policy established for each user and based respectively on the authentication knowledge base and the security decision base, automatically and dynamically provide the user with a real-time authentication mechanism and authorization mechanism, and each user uses protected resources according to the finally authorized rights.
The context-aware module can perceive the characteristic information of the user, the environment and the resources. When this characteristic information changes, the context-aware module filters and processes the useful messages and finally sends them to the security policy module in the form of events; the security policy module updates this user's real-time security policy and notifies the self-organizing authentication module, and the self-organizing authentication module and the self-organizing authorization module automatically update the real-time authentication mechanism and authorization mechanism of the corresponding user according to the received security policy. The user uses protected resources according to the authorized rights determined after the update.
When the user exits the resource, the security policy module cancels the corresponding user's real-time security policy, and the self-organizing authentication module and the self-organizing authorization module cancel the real-time authentication mechanism and authorization mechanism of the corresponding user.
The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that, provided there is no conflict, the embodiments in this application and the features of the embodiments may be combined with one another.
Referring to Fig. 2, Fig. 2 is a schematic diagram of realizing personalized secure access control of resources in the Internet of Things according to an embodiment of the invention. In Fig. 2, the resource pool includes, but is not limited to, the protected data resources, network resources, content resources, network services and applications that a network user may use, and other protected context and objects in the network.
Users include, but are not limited to, end users and the providers of services and applications.
The sensor group comprises one or more sensors for perceiving the parameters of the user's physical environment, and is used to collect the characteristic information of the user's physical environment.
Referring to Fig. 3, Fig. 3 is a component diagram of the context-aware module of an embodiment of the invention. In Fig. 3, the context-aware module should include, but is not limited to, the components shown in Fig. 3, so as to realize the following functions: collecting changes in the context of the resources the user may use through the resource perception component; collecting changes in the user's physical environment context through the sensor group perception component; collecting changes in the user role context through the user role perception component; and, through the event processing component, processing the collected events and aggregating, filtering and judging valid event types according to rules. Through these components the context-aware module collects, processes and sends the user's initial context information, and notifies the security policy module through the event-driven component and the application interface so that the user's real-time security policy can be initialized. While the user is using the resource, changes in the user's context are notified to the security policy module by the event-driven component of the context-aware module, so that the corresponding event response action can be taken.
Referring to Fig. 4, Fig. 4 is a component diagram of the security policy module of an embodiment of the invention. The security policy module shown in Fig. 2 should include, but is not limited to, the components shown in Fig. 4, so as to realize the following functions: the basic security policy component initializes the general security policy set through the security policy management interface and according to the requirements of the security management module. The context-driven unit, based on the context events provided by the context-aware module (such as a change of the user's network or of the physical environment) and with reference to the requirements of the basic security policy component, establishes the user's real-time security policy, so as to dynamically adapt the user's access control security mechanism and provide the user with personalized, continuous security services for the resources. The life cycle management component is used to complete the initialization, running, update and cancellation management of the user's real-time security policy.
The functions of the security management module include, but are not limited to, setting and managing the security parameters of the security policy module and the self-organizing authentication module.
Referring to Fig. 5, Fig. 5 is a component diagram of the self-organizing authentication module of an embodiment of the invention. The self-organizing authentication module can automatically organize the real-time authentication mechanism of the corresponding user according to each user's real-time security policy parameters, and completes the authentication of each user's resource access application. The self-organizing processing component in the self-organizing authentication module can query the security policy module, automatically obtain the corresponding real-time security policy accordingly, and, in combination with the authentication knowledge base, establish the real-time authentication mechanism corresponding to each user through the user real-time authentication component. The self-organizing processing component can also receive the security policy change notifications sent by the security policy module, automatically organize a suitable user real-time authentication mechanism accordingly, and send the authentication result and the user's real-time security policy to the self-organizing authorization module, so as to complete the automatic update of resource access rights during the life cycle of the user's resource use.
Referring to Fig. 6, Fig. 6 is a component diagram of the self-organizing authorization module of an embodiment of the invention. The self-organizing authorization module can automatically organize the corresponding real-time authorization mechanism according to each user's real-time security policy parameters, and finally completes the authorization of each user's resource access. The self-organizing processing component in the self-organizing authorization module can obtain each user's real-time security policy parameters from the self-organizing authentication module and, in combination with the security decision base, establish the real-time authorization mechanism corresponding to each user through the user real-time authorization component, so as finally to complete the authorization of the user's resource application and allow the user to use the resource.
Referring to Fig. 7, Fig. 7 is a flow chart of realizing personalized secure access control of resources in the Internet of Things according to one embodiment of the invention, and the flow comprises the following steps:
S702: the security management module completes the initial setting of the relevant security parameters of the security policy module, the self-organizing authentication module and the self-organizing authorization module. The relevant parameters include, but are not limited to: parameters used to configure the basic security policy set, parameters used to configure the user authentication rule set of the self-organizing authentication module, and parameters used to configure the self-organizing authorization module or the authorization rights.
S704: initialize the real-time security policy corresponding to the user. The specific steps are: the user uses the resource pool, and the service or application related to the resource pool sends the user's access request to the context-aware module and the self-organizing authorization module. The context-aware module collects and processes the user context and notifies the security policy module, and the security policy module initializes this user's real-time security policy according to each user's context and the basic security policy set.
S706: the user uses the resource according to the authorized rights. The specific steps are: the self-organizing authentication module obtains the real-time security policy corresponding to the user by query, and the self-organizing authentication module and the self-organizing authorization module adopt the authentication mechanism and authorization mechanism corresponding to each user according to the obtained security policy. The user uses protected resources according to the authorized rights. The real-time security policy corresponding to the user is in the running state.
S708: cancel the user's real-time security policy and authentication and authorization mechanisms. The specific steps are: the user exits the service or application, and the security policy module cancels the corresponding user's real-time security policy. The self-organizing authentication module and the self-organizing authorization module cancel the corresponding real-time authentication mechanism and authorization mechanism.
S710: the user's key context is updated, and the user uses protected resources according to the updated authorized rights. The specific steps are: the user's key context parameters change, such as the network environment or the location; the context-aware module notifies the security policy module of this event, and the security policy module updates this user's real-time security policy and notifies the self-organizing authentication module. The self-organizing authentication and authorization modules update the user's real-time authentication mechanism and authorization mechanism according to this real-time security policy. The user uses protected resources according to the updated authorized rights.
Referring to Fig. 8, which is a flow chart of another embodiment of the invention realizing personalized secure access control of resources in the Internet of Things, the flow comprises the following steps:
S802: A user resource access request is sent to the resource pool.
In practice the request may be initiated manually by the user, or it may be issued to the resource pool automatically when the context-aware module perceives that a specific physical sensing device bound to the user's identity has entered a particular scenario. The resource may be protected data, or a protected program or flow inside a network service or application, and so on.
S804A: The service or application software in the resource pool sends a user-resource-access request event notification to the context-aware module.
S804B: At the same time, the service or application software in the resource pool sends an authorization request to the self-organizing authorization module.
Note that S804A and S804B can run in synchronous mode, in which establishing the user's real-time security policy and initiating the authentication request to the self-organizing authentication module proceed in parallel, or in asynchronous mode, in which the flow waits until the user's real-time security policy has been established and then completes the resource-use authorization by notification, via S826.
S806A: The context-aware module sends the security-relevant user context to the security policy module.
S808: From the received user context and the base security policy component, the security policy module initializes the user's real-time security policy and starts life-cycle management for that policy.
S806B: The self-organizing authorization module sends an authentication request to the self-organizing authentication module.
Note that, as with S804A and S804B above, S806A and S806B can run in either synchronous or asynchronous mode.
S810: The self-organizing authentication module sends a query for the user's real-time security policy to the security policy module.
S812: The security policy module returns the corresponding user's real-time security policy to the self-organizing authentication module.
Note that in practice, if a valid security policy is returned, the self-organizing authentication module uses it to reconfigure its real-time authentication mechanism for that user. If the response is empty, or no valid policy is returned before the timeout, the self-organizing authentication module takes one of the following exception paths: mode one, notify the user that this authentication has failed and require the user to present valid authentication credentials again; mode two, refuse the user's resource access request outright and automatically repeat S810 after a set interval.
S814: Using the corresponding user's real-time security policy and the authentication knowledge base, the self-organizing authentication module establishes a real-time authentication mechanism for each user. Once the user has been authenticated, the self-organizing authentication module notifies the self-organizing authorization module and forwards the relevant user's real-time security policy to it.
S816: Using the corresponding user's real-time security policy and the security decision library, the self-organizing authorization module establishes a real-time authorization mechanism for each user and determines the user's final authorization rights. It then sends the authorization rights information to the resource pool, whose relevant execution elements (such as software applications) carry out the next processing step according to the user's final rights.
Note that the self-organizing authorization module must use the user's real-time security authorization mechanism to decide that user's authorization mechanism and the corresponding resource authorization rights.
S818: The user uses the resource according to the authorization rights.
S820: The context-aware module detects an effective change event in the user's context.
Note that in practice the user-context change events detected by the context-aware module may be simple or complex effective events that trigger S822 (for example the user entering or leaving a given application scenario, or a switch of the network the user is connected to), or they may be simple or complex events of no security relevance. The event-processing component therefore filters events in order to identify the effective ones.
S822: The context-aware module sends a change notification to the security policy module.
S824: The security policy module updates the user's real-time security policy.
S826: The security policy module sends a security policy update notification to the self-organizing authentication module.
S828: The self-organizing authentication module sends an authentication update notification to the self-organizing authorization module.
S830: Based on the authentication update and the policy update, the self-organizing authorization module sends the user's new resource rights, as they stand after the policy update, to the resource pool.
S832: The user keeps, or switches, the resources used through the resource pool.
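The flows of Figs. 7 and 8 above, condensed into runnable code as an added example written for this page (it is not the patent's or ZTE's implementation): a security policy module that derives a versioned real-time policy from a constructed base policy set and the user's context and tracks its life cycle; a context-aware module whose filter forwards only effective changes of security-relevant attributes; and a combined self-organizing authentication/authorization module that re-applies an updated policy to the live session and takes the S812 exception paths when no policy exists. The attribute names, the policy set, the user "alice" and her context events are assumptions.

```python
# Added example, not the patent's or ZTE's code: a miniature context-aware access-control
# engine following Figs. 7 and 8. Policy set, attribute names and events are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

class PolicyState(Enum):
    ESTABLISHED = "established"  # S808: derived from context + base policy set
    RUNNING = "running"          # S818: the user is using the resource under it
    UPDATED = "updated"          # S824: re-derived after an effective context change
    REVOKED = "revoked"          # S708: the user left the service or application

# Constructed base policy set: (network, location) -> (required factors, allowed operations)
BASE_POLICY_SET: Dict[Tuple[str, str], Tuple[Set[str], Set[str]]] = {
    ("corp_lan", "office"): ({"password"}, {"read", "write"}),
    ("public_wifi", "remote"): ({"password", "otp"}, {"read"}),
}
DEFAULT_POLICY = ({"password", "otp"}, set())  # unknown context: strong authn, no rights
SECURITY_RELEVANT = {"network", "location"}     # attributes the event filter lets through

@dataclass
class RealTimePolicy:
    user: str
    required_factors: Set[str]
    allowed_ops: Set[str]
    version: int
    state: PolicyState = PolicyState.ESTABLISHED

class SecurityPolicyModule:  # derives each user's real-time policy and runs its life cycle
    def __init__(self) -> None:
        self.policies: Dict[str, RealTimePolicy] = {}
    def on_context_change(self, user: str, ctx: Dict[str, str]) -> RealTimePolicy:
        key = (ctx.get("network", ""), ctx.get("location", ""))
        factors, ops = BASE_POLICY_SET.get(key, DEFAULT_POLICY)
        old = self.policies.get(user)
        fresh = old is None or old.state is PolicyState.REVOKED  # establish vs. update (S824)
        policy = RealTimePolicy(user, set(factors), set(ops),
                                version=1 if fresh else old.version + 1,
                                state=PolicyState.ESTABLISHED if fresh else PolicyState.UPDATED)
        self.policies[user] = policy
        return policy
    def query(self, user: str) -> Optional[RealTimePolicy]:
        policy = self.policies.get(user)  # None models the "empty" response of S812
        return None if policy is None or policy.state is PolicyState.REVOKED else policy
    def revoke(self, user: str) -> None:
        if user in self.policies:
            self.policies[user].state = PolicyState.REVOKED

class ContextAwareModule:  # collects raw context, forwards only effective relevant changes
    def __init__(self, policy_module: SecurityPolicyModule) -> None:
        self.policy_module = policy_module
        self.context: Dict[str, Dict[str, str]] = {}
    def observe(self, user: str, attribute: str, value: str) -> bool:
        ctx = self.context.setdefault(user, {})
        effective = attribute in SECURITY_RELEVANT and ctx.get(attribute) != value
        ctx[attribute] = value
        if effective:  # S820/S822: only effective events reach the policy module
            self.policy_module.on_context_change(user, dict(ctx))
        return effective

class SelfOrganizingAuthModule:  # authn and authz driven by the current real-time policy
    def __init__(self, policy_module: SecurityPolicyModule) -> None:
        self.policy_module = policy_module
        self.sessions: Dict[str, Set[str]] = {}  # factors each user has presented
    def authenticate(self, user: str, presented: Set[str]) -> Tuple[bool, str]:
        policy = self.policy_module.query(user)
        if policy is None:  # S812 exception, mode two: refuse (the timed retry is the caller's)
            return False, "no policy"
        missing = policy.required_factors - presented
        if missing:  # S812 exception, mode one: ask the user for the missing credentials
            return False, "need " + ",".join(sorted(missing))
        self.sessions[user] = set(presented)
        policy.state = PolicyState.RUNNING
        return True, "ok v%d" % policy.version
    def authorize(self, user: str, operation: str) -> bool:
        policy = self.policy_module.query(user)
        # S826-S830: re-apply the updated policy; factors the session never presented force re-authn
        if policy is None or policy.required_factors - self.sessions.get(user, set()):
            return False
        policy.state = PolicyState.RUNNING
        return operation in policy.allowed_ops

def demo() -> List:  # constructed walk-through of Fig. 8: access, use, context change, log-off
    spm = SecurityPolicyModule()
    cam, auth = ContextAwareModule(spm), SelfOrganizingAuthModule(spm)
    log: List = []
    cam.observe("alice", "network", "corp_lan")                   # S802-S808: policy v1, v2
    cam.observe("alice", "location", "office")
    log.append(auth.authenticate("alice", {"password"}))          # S814: (True, "ok v2")
    log.append(auth.authorize("alice", "write"))                  # S816-S818: True
    log.append(cam.observe("alice", "battery", "20%"))            # noise, filtered: False
    cam.observe("alice", "network", "public_wifi")                # S820-S824: policy v3, v4
    cam.observe("alice", "location", "remote")
    log.append(auth.authorize("alice", "read"))                   # False until otp is shown
    log.append(auth.authenticate("alice", {"password"}))          # (False, "need otp")
    log.append(auth.authenticate("alice", {"password", "otp"}))   # (True, "ok v4")
    log.append(auth.authorize("alice", "write"))                  # False: write withdrawn
    log.append(auth.authorize("alice", "read"))                   # True
    spm.revoke("alice")                                           # S708: log-off
    log.append(auth.authenticate("alice", {"password", "otp"}))   # (False, "no policy")
    return log
```

`demo()` returns the decision trace for one user: access from the office LAN, a filtered battery event that leaves the policy untouched, a switch to public Wi-Fi that raises the required factors and withdraws write access, re-authentication with the extra factor, and log-off, after which every request hits the "no policy" path. The timeout and the timed retry of S810 in mode two are left out, since they only add a timer around `query`.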
Taken together, the embodiments above show that the operating principle of the invention's personalized secure access control of resources can be represented by the flow of Fig. 9, which comprises the following steps:
Step 910: In passive or active mode, the context-aware module obtains the characteristic identity information associated with the user, together with the environment and resource-capability characteristic information associated with that identity. Changes in this characteristic information are filtered and processed by the context-aware module, formed into corresponding events and notified to the security policy module, which determines the user's real-time security policy from the user's context changes and the base security policy set.
Step 920: Within the configurable life cycle of the user's real-time security policy, the authentication module and the authorization module obtain the user's real-time security policy from the security policy module, by query or by receiving a notification, and dynamically update the user's authentication and authorization mechanisms accordingly.
To ensure that the above embodiments and operating principle can be realized smoothly, the arrangement shown in Fig. 10 can be used. Fig. 10 is a diagram of a system for personalized secure access control of resources according to an embodiment of the invention; the system comprises a real-time security policy decision unit and an authentication and authorization mechanism decision unit, connected to each other.
In practice, the real-time security policy decision unit determines the user's real-time security policy from the events provided by the context-aware module and the base security policy set. The authentication and authorization mechanism decision unit can automatically establish, update or revoke the user's real-time authentication and authorization mechanisms according to the real-time security policy determined by the real-time security policy decision unit.
In summary, whether realized as a method or as a system, the invention's technique for personalized secure access control of resources combines user context awareness with the user's real-time security policy and automatically updates each user's authentication and authorization mechanisms throughout the whole life cycle of the user's use of the resource. It has the following advantages. First, it can follow changes in the characteristic information around the user (including the environment, the network, service capability resources and so on) and dynamically provide a seamless resource access-control service anytime and anywhere, effectively supporting the continuity and dynamism of security services for Internet of Things resources. Second, it can provide the user with personalized security service support in complex network environments, greatly improving user satisfaction. Third, it realizes personalized secure access control of resources efficiently and is easy to develop and deploy.
The above are only preferred embodiments of the invention and are not intended to limit its scope of protection.

Claims (15)

1. A method for realizing personalized secure access control of resources, characterized in that the method comprises:
in passive or active mode, obtaining, by a context-aware module, the characteristic identity information associated with a user, together with the environment and resource-capability characteristic information associated with that identity; filtering and processing changes in that characteristic information in the context-aware module, forming corresponding events and notifying a security policy module, which determines the user's real-time security policy from the user's context changes and a base security policy set; and, within the configurable life cycle of the user's real-time security policy, an authentication module and an authorization module obtaining the user's real-time security policy from the security policy module, by query or by receiving a notification, and dynamically updating the user's authentication and authorization mechanisms accordingly.
2. The method according to claim 1, characterized in that the process of determining the user's real-time security policy comprises:
in active or passive mode, obtaining, by the context-aware module, the characteristic identity information associated with each user and the environment and resource-capability characteristic information associated with that characteristic identity information; after the context-aware module has filtered and processed this characteristic information, forming corresponding events and notifying the security policy module, which establishes the real-time security policy associated with the user according to the event changes and on the basis of the base security policy set;
and the process of updating the authentication and authorization mechanisms comprises: providing the user's real-time security policy to a self-organizing authentication module and a self-organizing authorization module by query response or by notification; and the self-organizing authentication module and the self-organizing authorization module, according to the received security policy and on the basis of an authentication knowledge base and a security decision library respectively, automatically establishing and updating the real-time authentication mechanism and the resource authorization rights of the corresponding user.
3. The method according to claim 1, characterized in that, when establishing the user's real-time security policy, the security policy module establishes the real-time security policy associated with the user according to the user's resource request and on the basis of the base security policy set.
4. The method according to claim 1, characterized in that, when the self-organizing authentication module and the self-organizing authorization module establish the authentication mechanism and the resource authorization rights, they automatically and dynamically provide each user with the corresponding real-time authentication and authorization mechanisms according to that user's established real-time security policy, so as to support each user in using protected resources according to the authorization rights.
5. The method according to claim 2, characterized in that, when obtaining the characteristic information, the context-aware module dynamically perceives, processes and transmits changes in the user-associated characteristic information and notifies the security policy module of them as events, whereupon the security policy module updates the user's real-time security policy.
6. The method according to any one of claims 2 to 5, characterized in that
the real-time security policy has a configurable life cycle of establishment, running, update and revocation;
within the life cycle of the user's real-time security policy, the real-time authentication and authorization mechanisms that the self-organizing authentication module and the self-organizing authorization module maintain for each user have a corresponding life cycle of establishment, running, update and revocation.
7. The method according to any one of claims 2 to 5, characterized in that the method further comprises:
when the user exits the resource, the security policy module revoking the corresponding user's real-time security policy, and the self-organizing authentication module and the self-organizing authorization module revoking the corresponding authentication and authorization mechanisms.
8. A system for realizing personalized secure access control of resources, characterized in that the system comprises a real-time security policy decision unit and an authentication and authorization mechanism decision unit; wherein
the real-time security policy decision unit is configured to determine the user's real-time security policy from the events provided by a context-aware module and on the basis of a base security policy set;
the authentication and authorization mechanism decision unit is configured to automatically establish, update or revoke the user's real-time authentication and authorization mechanisms according to the user's real-time security policy determined by the real-time security policy decision unit.
9. The system according to claim 8, characterized in that the real-time security policy decision unit comprises a context-aware module and a security policy module, and the authentication and authorization mechanism decision unit comprises a self-organizing authentication module and a self-organizing authorization module; wherein
the context-aware module is configured to automatically obtain the characteristic identity information associated with each user and the environment and resource-capability characteristic information associated with that characteristic identity information, and, after filtering and processing this characteristic information, to form corresponding events and notify the security policy module;
the security policy module is configured to establish the real-time security policy associated with the user according to the event changes and on the basis of the base security policy set, and to provide it to the self-organizing authentication module and the self-organizing authorization module by query response or by notification;
the self-organizing authentication module and the self-organizing authorization module are configured to automatically establish and update the real-time authentication mechanism and the resource authorization rights of the corresponding user according to the received security policy.
10. The system according to claim 9, characterized in that, when establishing the user's real-time security policy, the security policy module is configured to establish the real-time security policy associated with the user according to the user's resource request and on the basis of the base security policy set;
and the security policy module comprises at least a context-driven unit, a life-cycle management component, a base security policy component, a security policy management interface and a user real-time security policy component.
11. The system according to claim 9, characterized in that, when establishing the user's real-time authentication mechanism and resource authorization rights, the self-organizing authentication module and the self-organizing authorization module are configured to automatically and dynamically provide each user with the corresponding authentication and authorization mechanisms according to that user's established real-time security policy, on the basis of an authentication knowledge base and a security decision library respectively, so as to support each user in using protected resources according to the authorization rights;
the self-organizing authentication module comprises at least the following components: an authentication knowledge base, a self-organizing processing component, a user real-time authentication component and a life-cycle management component;
the self-organizing authorization module comprises at least the following components: a security decision library, a self-organizing processing component, a user real-time authorization component and a life-cycle management component.
12. The system according to claim 9, characterized in that, when obtaining the characteristic information, the context-aware module is configured to dynamically perceive, process and transmit changes in the user-associated characteristic information and to notify the security policy module of them as events, triggering the security policy module to update the user's real-time security policy;
the context-aware module comprises at least a sensor-group sensing component, a user-role sensing component, a resource sensing component, an event-processing component, an event-driven component and an application-layer interface.
13. The system according to any one of claims 9 to 12, characterized in that
the user's real-time security policy has a life cycle of establishment, running, update and revocation;
within the life cycle of the user's real-time security policy, the real-time authentication and authorization mechanisms that the self-organizing authentication module and the self-organizing authorization module maintain for each user have a corresponding life cycle of establishment, running, update and revocation.
14. The system according to any one of claims 9 to 12, characterized in that,
when the user exits the resource, the security policy module is further configured to revoke the corresponding user's real-time security policy, and the self-organizing authentication module and the self-organizing authorization module are further configured to revoke the corresponding user's real-time authentication and authorization mechanisms.
15. The system according to any one of claims 9 to 12, characterized in that the system further comprises a security management module configured to import and manage the base security policy parameters of the security policy module, the self-organizing authentication module and the self-organizing authorization module.
Application CN201110226183.5A (priority date 2011-08-08, filing date 2011-08-08): A kind of method and system for realizing individualized resource security access control. Granted as CN102300212B. Legal status: Expired - Fee Related.

Publications (2)

Publication Number    Publication Date
CN102300212A          2011-12-28
CN102300212B          2018-05-22
Cited By (7)

* Cited by examiner, † Cited by third party
Publication number    Priority date    Publication date    Assignee    Title
CN102917346A *    2012-10-17    2013-02-06    浙江大学城市学院    Security policy management system and method for Android-based application program during operation
CN103176817A *    2012-12-21    2013-06-26    中国电力科学研究院    Linux security policy configuration method based on self-learning
CN103200059A *    2013-04-08    2013-07-10    中兴通讯股份有限公司南京分公司    Secure network access processing method and device
CN103560994A *    2013-08-16    2014-02-05    中山大学    Context-aware-based security access control method for RFID system
CN103607305A *    2013-11-26    2014-02-26    北京华胜天成科技股份有限公司    Distributed network strategy implementation method and device
CN104883405A *    2015-06-12    2015-09-02    重庆科创职业学院    Intelligent household IoT safety protection system and control method thereof
CN108062483A *    2016-11-09    2018-05-22    中国移动通信有限公司研究院    Method, apparatus and terminal for an application to access system resources

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number    Priority date    Publication date    Assignee    Title
WO2005104455A2 *    2004-04-27    2005-11-03    Nokia Corporation    Providing security in proximity and ad-hoc networks
CN101694629A *    2009-10-23    2010-04-14    北京邮电大学    Context sensing application platform based on main body and work method thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Oscar Garcia-Morchon, Klaus Wehrle: "Efficient and Context-Aware Access Control for Pervasive Medical Sensor Networks", IEEE *
姚寒冰, 胡和平, 李瑞轩: "Context-aware dynamic access control model" (上下文感知的动态访问控制模型), Computer Engineering and Science (计算机工程与科学) *
张沙沙, 姜华, 谢圣献, 李秋静: "Research on context-aware RBAC dynamic access control" (基于上下文感知的RBAC动态访问控制研究), Academic and Technology (学术.技术) *

Legal Events

Code    Title
C06     Publication
PB01    Publication
C10     Entry into substantive examination
SE01    Entry into force of request for substantive examination
GR01    Patent grant (granted publication date: 2018-05-22)
CF01    Termination of patent right due to non-payment of annual fee (termination date: 2020-08-08)